VOLPE CENTER’S INFORMATION TECHNOLOGY SECURITY AND RESOURCE MANAGEMENT ACTIVITIES
Research and Innovative Technology Administration

Report Number: FI-2007-061
Date Issued: August 1, 2007

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Volpe Center’s Information Technology Security and Resource Management Activities, RITA
         Report Number FI-2007-061
Date: August 1, 2007
From: Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Acting Research and Innovative Technology Administrator

This report presents the results of our audit on the effectiveness of information technology (IT) security and resource management activities at the John A. Volpe National Transportation Systems Center in Cambridge, Massachusetts.

A fee-for-service organization within the Department of Transportation’s (DOT) Research and Innovative Technology Administration (RITA), the Volpe Center conducts research on critical transportation initiatives, such as aviation safety and Global Positioning System tracking for vessels and hazardous materials. In addition, Volpe provides operational support for vital DOT business operations, such as hosting the Federal Aviation Administration’s (FAA) Enhanced Traffic Management System, DOT websites, and the implementation of the security access system for DOT’s new Headquarters.

To support its user-fee operations, Volpe has established a complex network infrastructure. [1] Protected by security firewalls, this infrastructure provides interconnected networks and remote connections via the Internet for its 550 Federal employees and 850 contractor staff. Volpe personnel use these network computers to conduct sensitive research and develop new systems for customers. The network infrastructure also supports Volpe’s administrative systems, such as e-mail and procurement management.

[1] A network infrastructure consists of a set of hardware and software used to interconnect computers and users, regardless of their physical locations.

Our objectives were to determine whether (1) Volpe’s network infrastructure and connection entry points are adequately secured to protect the Center’s critical information assets, (2) Volpe’s information systems are properly accredited (secured) to support business operations, and (3) Volpe is leveraging departmental IT resources to maximize cost savings. We performed this audit in accordance with Generally Accepted Government Auditing Standards as prescribed by the Comptroller General of the United States and conducted such tests as we considered appropriate to detect fraud. Details of our scope and methodology are presented in Exhibit A.

RESULTS IN BRIEF

Volpe has established adequate firewall security to protect its IT infrastructure from intrusion or unauthorized access from the Internet. However, Volpe computers remained vulnerable to attacks by insiders: employees, contractor staff, and remote users from DOT’s interconnected networks. [2] We found that Volpe’s network vulnerability assessment was not effective in identifying security vulnerabilities and that network computers were not configured in accordance with departmental security standards to prevent weaknesses.

In addition, Volpe’s system security certification review did not meet a key requirement. As part of this review, management must develop and test the system contingency plan to ensure continued operation in case of disaster. While Volpe reported that its systems have undergone such testing, the testing was limited to tabletop exercises (procedural walkthroughs). Volpe management has not yet tested its capability to resume system operations at its designated recovery site. In case of disruption due to power loss or disaster, both Volpe and customer systems might be affected.

Finally, Volpe has made good progress in leveraging departmental resources for more efficient operations. For example, it has converted its stand-alone financial and personnel/payroll systems to DOT’s consolidated system solutions and is using the departmental enterprise licensing agreement to procure Oracle products for cost savings. We, however, identified two additional opportunities warranting management attention. First, Volpe was not included in the Department’s enterprise license agreement and had to negotiate its own licensing agreement with Microsoft. In addition, Volpe, along with several other DOT Operating Administrations, is paying separate license fees to use a software company’s procurement system. Consolidating these operations with the Department could enable Volpe to further reduce costs.

[2] In March 2007, Volpe added firewall security between the DOT Headquarters and Volpe networks.

We provided a draft of this report to RITA for comment on May 15, 2007, and on July 18 we received the Agency’s response. RITA concurred with our conclusions and stated that the majority of the recommendations have already been either fully or partially addressed. The response further stated that comprehensive plans are being developed for the completion of all remaining issues. A complete set of our recommendations can be found in the Recommendations section of this report. RITA’s response can be found in its entirety in the appendix.

FINDINGS

Volpe’s Network Infrastructure Was Not Properly Secured and Remained Vulnerable to Attack by Insiders

While Volpe had adequate security protection to prevent unauthorized access from the Internet, its network remained vulnerable to attack by insiders, including employees, contractors, and remote users from DOT’s interconnected networks. The Volpe network infrastructure consisted of its data center (which housed critical information systems); devices controlling the network connection to DOT’s Headquarters, FAA, and the Internet; and computers used to conduct research or develop customer systems (see figure 1).

Figure 1. Current Volpe Network Infrastructure
Source: OIG based on Volpe data

Volpe’s Network Vulnerability Assessment Was Not Effective in Identifying Security Weaknesses

Volpe management relies on a contractor to scan its network, including web servers, to identify vulnerabilities for correction. These vulnerability assessments were infrequent (only quarterly) and too limited in scope. By contrast, DOT performs vulnerability scans on its major systems, such as DOT websites and internal networks, weekly. Scanning for network vulnerabilities quarterly is not frequent enough to identify potential weaknesses, considering that new vulnerabilities are discovered virtually daily. According to the National Institute of Standards and Technology (NIST), during January 2007 alone, more than 300 new vulnerabilities were found in various commercial software products.

The assessment performed by the contractor was also too limited in scope to provide security assurance. The contractor’s assessment in May 2006 identified 47 high-risk vulnerability incidents on about 90 computers. We performed independent assessments in May and November 2006 and discovered more than 8,800 potential vulnerability incidents, over half of them high-risk, on 412 affected computers and network printers (see table 1). [3]

Table 1. Volpe Center Network Vulnerability Incident Assessment Results

  Equipment          Total Number   Hosts With          Potential Vulnerability Incidents   Total Potential
                     of Hosts       Vulnerabilities     High      Medium     Low            Vulnerability Incidents
  Computers          1,170          397                 2,598     509        3,802          6,909
  Network printers      88           15                 1,848      33           73          1,954
  Total              1,258          412                 4,446     542        3,875          8,863
  Source: OIG

As acknowledged by Volpe management, one computer could contain multiple incidents of the same vulnerability. For example, using weak passwords to authenticate users is a vulnerability because they could be easily cracked or guessed. If five users were found to use weak passwords to gain access to one computer, five vulnerability incidents would be included in table 1. We are reporting the total number of vulnerability incidents because multiple incidents require multiple corrections. [4]

[3] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk and low-risk vulnerabilities may provide attackers with useful information, such as password files, that they can then use to compromise a computer system.
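The distinction the report draws here, between vulnerability incidents (one per affected host and instance, the unit of remediation work) and distinct vulnerabilities (one per scanner check, the unit of tracking), is the one a practitioner has to get right when reading scanner output. The following Python is an added worked example; it is not part of the OIG report and is not Volpe’s or its contractor’s tooling. It reads a constructed CSV export whose column layout, host names and check IDs are assumptions made for illustration (they do not describe any real scanner’s format) and produces the three views the report relies on: incident counts by equipment type and severity as in table 1, the count of distinct vulnerabilities per severity, and the per-host remediation worklist that shows why multiple incidents require multiple corrections.

```python
"""
Added example (not from the OIG report): aggregate raw scanner findings as
vulnerability incidents (per host and instance) and as distinct vulnerabilities
(per scanner check). The CSV layout, host names and check IDs are constructed
for illustration and do not describe any particular scanner's export format.
"""
import csv
import io
from collections import defaultdict

SEVERITIES = ("High", "Medium", "Low")

# Constructed scanner export. One row per finding instance: a weak password on
# three accounts of the same host yields three rows, i.e. three incidents.
SAMPLE_SCAN_CSV = """\
host,equipment,check_id,severity,instance
ws-01,Computers,WEAK-PASSWORD,High,user:alice
ws-01,Computers,WEAK-PASSWORD,High,user:bob
ws-01,Computers,WEAK-PASSWORD,High,user:carol
ws-01,Computers,SMB-NULL-SESSION,Medium,tcp/445
db-07,Computers,DEFAULT-DB-CREDS,High,user:sa
db-07,Computers,SNMP-PUBLIC-COMMUNITY,Low,udp/161
ws-02,Computers,WEAK-PASSWORD,High,user:dave
prn-03,Network printers,SNMP-PUBLIC-COMMUNITY,Low,udp/161
prn-03,Network printers,FTP-ANONYMOUS,High,tcp/21
prn-04,Network printers,FTP-ANONYMOUS,High,tcp/21
"""


def parse_scan(csv_text):
    """Parse the export into a list of dict rows, rejecting unknown severities
    so a malformed or extra-level row cannot silently vanish from the totals."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if row["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {row['severity']!r} on host {row['host']}")
    return rows


def incident_table(rows):
    """Table 1 view: incidents per equipment type and severity, plus the number
    of distinct hosts of that type that had at least one finding."""
    per_equipment = defaultdict(lambda: {"hosts": set(), **{s: 0 for s in SEVERITIES}})
    for r in rows:
        bucket = per_equipment[r["equipment"]]
        bucket["hosts"].add(r["host"])
        bucket[r["severity"]] += 1
    table = {}
    for equipment, bucket in per_equipment.items():
        counts = {s: bucket[s] for s in SEVERITIES}
        counts["hosts_with_vulnerabilities"] = len(bucket["hosts"])
        counts["total_incidents"] = sum(bucket[s] for s in SEVERITIES)
        table[equipment] = counts
    return table


def unique_vulnerabilities(rows):
    """Distinct-vulnerability view: distinct check IDs per severity, however
    many hosts or instances each check hit."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["severity"]].add(r["check_id"])
    return {s: len(seen[s]) for s in SEVERITIES}


def remediation_worklist(rows):
    """One work item per (host, check_id), listing the instances that must each
    be corrected; this is the sense in which incidents, not checks, are the
    unit of remediation."""
    work = defaultdict(list)
    for r in rows:
        work[(r["host"], r["check_id"])].append(r["instance"])
    return dict(work)


if __name__ == "__main__":
    findings = parse_scan(SAMPLE_SCAN_CSV)
    for equipment, counts in incident_table(findings).items():
        print(equipment, counts)
    print("distinct vulnerabilities by severity:", unique_vulnerabilities(findings))
    for (host, check), instances in sorted(remediation_worklist(findings).items()):
        print(f"{host:8} {check:22} {len(instances)} instance(s): {', '.join(instances)}")
```

Run as a script, it prints the three views; on the ten constructed rows it reports 10 incidents but only 5 distinct checks, the same kind of gap as the report’s 8,863 incidents against 1,838 vulnerabilities. A row with an unrecognised severity is rejected rather than dropped, since a scanner that emits an extra level (for example "Critical") would otherwise understate the high end of the table without anyone noticing.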
4\n\nBy using the vulnerabilities identified on 15 database systems deployed for project\ndevelopment, we were able to take full control of 7 systems, including those used\nto develop the Advanced Retrieval (Tire, Equipment, Motor Vehicles) Information\nSystem (ARTEMIS). 5 We could have corrupted the data stored in these systems\nor launched denial-of-service attacks to disrupt the development work.\n\n\nNetwork Computers and Databases Did Not Meet DOT Security\nConfiguration Standards and Were Not Adequately Reviewed\nDOT policy 6 requires all computers to be configured in compliance with\ndepartmental minimum security standards. Yet according to Volpe officials, such\nstandards were not previously enforced and are now being implemented only on\nnewly deployed computers. Existing systems\xe2\x80\x99 configurations were not checked by\nVolpe to ensure compliance. In fact, the vulnerabilities we identified were largely\ncaused by improper configuration.\n\nAlso, the security certification and accreditation (C&A) review performed in 2004\non Volpe\xe2\x80\x99s network infrastructure, known as the General Support System/Local\nArea Network (GSS/LAN), was too limited. 
It did not cover all key components\nused to support Volpe\xe2\x80\x99s missions.\n\nFor example, the risk assessment was conducted at the data center and did not\ncover other key areas of Volpe\xe2\x80\x99s LAN, such as the network connection to the\nInternet and computers that were used to support and maintain its networks.\nWithout performing a full assessment of its entire network infrastructure\xe2\x80\x94the\nmost complex and vital system\xe2\x80\x94Volpe cannot be assured that it is providing an\nadequate level of security protection to its business operations.\n\n\nNetwork Security Weaknesses Could Adversely Affect Volpe\xe2\x80\x99s Business\nOperations\nIt is important that appropriate security controls be in place to protect the Volpe\nCenter\xe2\x80\x99s critical IT infrastructure and information assets, which are used to\nsupport Volpe\xe2\x80\x99s user-fee operations. In 2006, Volpe had 424 projects underway,\nwith annual obligations totaling about $262 million. More than 60 percent of the\n\n4\n    According to Volpe, there were a total of 1,838 potential vulnerabilities\xe2\x80\x94359 high, 534 medium, and 945 low\xe2\x80\x94for\n    the 8,863 incidents identified during the audit.\n5\n    This system is used by the National Highway Traffic Safety Administration to collect and categorize product data, as\n    well as death and injury data submitted by manufacturers, to identify potential tire defects in order to prevent any\n    additional vehicle-related injuries and deaths.\n6\n    DOT IT and Information Assurance Policy 2006-04, April 3, 2006.\n\x0c                                                                                   6\n\n\nprojects were for DOT customers. The rest were for other Federal agencies, state\nand local governments, the private sector, and international entities (see table 2).\n\n\n               Table 2. 
Volpe Customer Projects in 2006\n\n             Customers            Number of        Total New Obligation\n                                    Active        Authority Transferred to\n                                   Projects        Volpe ($ in millions)\n       DOT\n         FAA                           74                    $81.9\n         Others                       196                    $88.7\n       Non-DOT\n         Other Federal\n        Agencies                      126                    $88.4\n         State/local\n        Government                     16                     $2.0\n         Private sector                 8                     $0.3\n         International                  4                     $0.6\n         Total                        424                   $261.9\n      Source: Volpe\n\nAny potential security weaknesses could jeopardize the confidentiality, integrity,\nand availability of Volpe\xe2\x80\x99s services to its customers. Further, its interconnectivity\nwith DOT networks means that security weaknesses on Volpe\xe2\x80\x99s network could\ncompromise DOT computer systems or vice versa, which, in turn, could\npotentially limit the Department\xe2\x80\x99s ability to conduct its vital business to support\nour national transportation system.\n\nAccording to Volpe and RITA management, security weaknesses in network\nassessment and computer configuration were caused primarily by significant staff\nturnover at the Volpe Center. During the last 2 years, Volpe had to fill its chief\ninformation officer (CIO) position four times, which led to restructuring of duties\nwithin the CIO\xe2\x80\x99s office on several occasions. 
This high rate of turnover required\nits key personnel to assume multiple roles and responsibilities that were loosely\ndefined, resulting in inadequate procedures for network vulnerability assessment\nand lax oversight of contractor work to provide adequate network security.\n\nVolpe is in the process of recertifying the security protection of the GSS/LAN and\nmust ensure that the review covers all network components at the Volpe Center.\nIn response to our identified vulnerabilities, Volpe acted immediately to correct\nthe confirmed high-risk vulnerabilities and review the remaining ones. According\nto Volpe officials, over 75 percent of high-risk vulnerabilities were corrected. In\naddition, Volpe management has hired a new contractor to perform ongoing\n\x0c                                                                                   7\n\n\nassessments of its network vulnerabilities and recently drafted new operating\nprocedures to direct the contractor\xe2\x80\x99s network vulnerability assessment work.\n\n\nSecurity Evaluation for an Operational System Was Not Completed,\nand Contingency Plans To Recover Critical System Operations Were\nNot Tested\nThe Department requires Operating Administrations to report systems used to\nsupport agency missions in the official systems inventory and conduct systems\nsecurity C&A reviews of these systems before they become operational. After\nthat, system security needs to be re-certified every 3 years or upon major changes\nto the system. Security certification reviews provide senior management with the\nassurance that the information systems they rely on are meeting the minimum\nGovernment security standards to ensure the integrity, confidentiality, and\navailability of business operations.\n\n\nSecurity Evaluation Not Complete\nVolpe depends on five information systems to support its missions. 
We found that\nit omitted two systems from the official systems inventory and did not complete\nthe required security certification review on one of the systems it did identify,\ncalled the Facility Physical Security System (see table 3).\n\n                    Table 3. Volpe Systems Inventory\n               System                      Included in      Received Security\n                                      Systems inventory?   Certification Review?\n     General Support System/LAN                Yes                   Yes\n     Administrative Support                    Yes                   Yes\n     Procurement                               Yes                   Yes\n     Data Warehouse                            No                    Yes\n     Facility Physical Security                No                    No\n    Source: OIG based on DOT and Volpe data\n\nVolpe relies on the Facility Physical Security System to control access to various\nparts of the building, including areas housing sensitive research work. The system\nhas been in operation for 3 years. According to Volpe management, it initiated the\nsecurity C&A review of this system in January 2006; however, it has not yet\ncompleted the review. Once this system\xe2\x80\x99s C&A review is complete, the system\nwill be able to be relied upon to control physical access to the Volpe facility.\n\x0c                                                                                 8\n\n\nSystem Contingency Plan Not Tested\nAs part of the security C&A review, management must develop and test the\nsystem contingency plan to ensure continued operation in case of disaster. While\nVolpe reported that its systems have undergone such testing, we found that the\ntesting was limited to tabletop exercises\xe2\x80\x94procedural walkthroughs. 
Volpe\nmanagement has not yet tested the capability to resume system operations at its\ndesignated recovery site.\n\nIn addition to the five systems used to support its mission, Volpe houses customer\nsystems for other DOT Operating Administrations and one non-DOT entity. The\ncustomer service agreement between Volpe and these customers specifies whether\nVolpe or the customer is responsible for disaster recovery. At least one DOT\ncustomer has asked Volpe to be responsible for developing and testing the\ncontingency plan for the customer\xe2\x80\x99s system.\n\nShould the Volpe data center become nonfunctional due to loss of power or a\ndisaster, both Volpe and the customer\xe2\x80\x99s business operations would be disrupted.\nTo mitigate this risk, Volpe signed an agreement with a commercial vendor to use\nthe vendor\xe2\x80\x99s facility as the systems recovery site. However, 3 years after signing\nthe agreement, Volpe has never conducted on-site testing to ensure that systems\ncould indeed be recovered at the vendor\xe2\x80\x99s site in a timely manner.\n\nIn May 2006, Volpe conducted limited testing of the network connectivity\nbetween the systems recovery site and the alternate work site, where key Volpe\npersonnel would be relocated in case of disaster. However, the network capacity\nestablished during the test only supported two customer systems and did not cover\nall Volpe systems at the recovery site in case of disaster. Accordingly, all Volpe\nand customer systems and associated business operations remain at risk. After we\nbrought this concern to Volpe management\xe2\x80\x99s attention, we were informed that\nVolpe plans to conduct full recovery testing in August of this year.\n\nAs stated above, Volpe has experienced a significant gap in its IT leadership and\nhigh turnover rates among key staff in recent years. 
As a result, contingency plan\ntesting was overlooked and there has been a lack of progress in reviewing, testing,\nand certifying that the Facility Physical Security System is adequately secured to\nsupport Volpe operations.\n\n\nVolpe Is Using Departmental IT Resources for Cost Savings, but More\nCan Be Done\nThe Presidential Electronic-Government (e-Gov) initiative aims to facilitate the\ncost-effective acquisition of all goods and services and requires Federal agencies\nto consolidate common and general support services. In recent years, Volpe has\n\x0c                                                                                                                9\n\n\nmade good progress in consolidating its common IT operations by leveraging\ndepartmental resources. For example, it has converted its stand-alone financial\nand personnel/payroll systems to DOT\xe2\x80\x99s consolidated system solutions. In\naddition, Volpe has utilized the departmental enterprise licensing agreement to\nprocure Oracle software for cost savings. However, we found two areas that\nwarrant management attention.\n\nFirst, the Department has negotiated an enterprise licensing agreement that would\nprovide savings on the acquisition of Microsoft products. However, Volpe\nmanagement was not aware of the departmental license with Microsoft.\nAccording to Volpe management, this was largely due to Volpe\xe2\x80\x99s frequent staff\nturnover. Between November 2004 and November 2005, Volpe negotiated its\nown agreements to acquire 1,810 licenses of Microsoft products and later\nacquiring an additional 700 licenses in 2007 for a total cost of $224,000. Due to\ndifferent contract terms in the departmental and Volpe licensing agreements, we\nwere unable to assess the potential cost savings had Volpe utilized the\ndepartmental licensing agreement to procure the 2,510 licenses for Microsoft\nproducts. 
However, the departmental agreement was structured to save money on\nlarge quantities of software purchases. Therefore, Volpe should work with the\nDepartment and in the future utilize DOT licensing agreements.\n\nSecond, Volpe is using a commercial procurement system marketed by\nCompuSearch, called PRISM, with an annual license fee. Meanwhile, several\nother DOT Operating Administrations also use this commercial procurement\nsystem and are paying CompuSearch separate license fees. In FY 2005, the\nDepartment identified potential cost savings by consolidating Operating\nAdministrations\xe2\x80\x99 use of this commercial system. 7 However, according to\nDepartment officials, this consolidation effort has been suspended due to a lack of\nfunding. We plan to follow up on this issue with departmental management;\ntherefore, we are not making any recommendations on this issue at this time.\n\n\nRECOMMENDATIONS\nWe recommend that the Acting RITA Administrator direct the Volpe Director to:\n\n1. Strengthen Volpe network security by:\n\n      a. Assigning a high priority to correcting remaining high-risk vulnerabilities\n         identified on Volpe computers during our audit and establishing a timetable\n         to remediate all other vulnerabilities.\n\n\n7\n    OIG report \xe2\x80\x9cOffice of the Chief Information Officer\xe2\x80\x99s Budget,\xe2\x80\x9d Report Number FI-2005-055, March 31, 2005.\n\x0c                                                                                  10\n\n\n   b. Finalizing the procedures for network vulnerability scanning and\n      remediation and ensuring that they are properly implemented by the\n      contractors.\n\n   c. Fully implementing the Department\xe2\x80\x99s security configuration standards for\n      commercial software products operating on all Volpe computers.\n\n   d. 
Ensuring that all critical network infrastructure components are included in\n      the current security certification review of the General Support\n      System/Local Area Network.\n\n2. Enhance protection of systems in operation by:\n\n   a. Completing the security certification and accreditation review of the\n      Facility Physical Security System and ensuring that all systems are included\n      in the Department\xe2\x80\x99s official systems inventory for tracking and\n      management review.\n\n   b. Conducting systems recovery testing at the back-up site for Volpe and for\n      customer systems for which it is responsible.\n\n   c. Testing network connectivity between the system recovery site and the\n      alternate work site to ensure that network capacity can fully support Volpe\n      business operations.\n\n3. Achieve cost savings by working with the Department\xe2\x80\x99s Chief Information\n   Officer to ensure that Volpe is given an opportunity to participate in and utilize\n   future Department-wide enterprise software licensing agreements.\n\n\nAGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL\nRESPONSE\nA draft of this report was provided to RITA for comment on May 15, 2007, and on\nJuly 18 we received the Agency\xe2\x80\x99s response, which can be found in its entirety in\nthe appendix. RITA concurred with our conclusions and stated that the majority\nof the recommendations have already been either fully or partially addressed. The\nresponse further stated that comprehensive plans are being developed for the\ncompletion of all remaining issues.\n\nThe corrective actions that RITA and the Volpe management have taken, and plan\nto take, adequately address the intent of our recommendations. Management\nresponses to our recommendations are summarized below:\n\x0c                                                                                11\n\n\nRecommendation 1.a: RITA concurred. 
All identified vulnerabilities that were\nrelated to software updates or patching were remediated. The remaining\nvulnerabilities requiring system reconfigurations will be corrected by June 2008,\nand those requiring system replacements will be completed by September 2009.\n\nRecommendation 1.b: RITA concurred. The vulnerability scanning and\nremediation process has been updated in compliance with DOT standards. The\nnew process assigns responsibility of monitoring and remediation to individual\nsystems owners: both Volpe Center institutional assets and projects. Currently,\nVolpe is using the Foundstone Enterprise scan tool to track remediation efforts and\nprovide oversight to ensure compliance.\n\nRecommendation 1.c: RITA concurred. The Volpe Center is now deploying all\nnew file servers, workstations, and laptops in accordance with DOT security\nconfiguration standards. The task of upgrading the existing file servers,\nworkstations, and laptops to DOT\xe2\x80\x99s 2007 security standards will be completed by\nSeptember 2008. Remaining issues that can only be corrected with system\nreplacement will be corrected by September 2009.\n\nRecommendation 1.d: RITA concurred. The current Volpe LAN/GSS C&A\nreview package will include all critical network infrastructure components. The\nreview will be completed by October 30, 2007.\n\nRecommendation 2.a: RITA concurred. The C&A review of Facility Physical\nSecurity System will be completed by October 30, 2007. Volpe will also include\nall systems in DOT\xe2\x80\x99s system inventory by July 31, 2007.\n\nRecommendation 2.b: RITA concurred. Off-site COOP and disaster recovery\nexercise will be completed by October 30, 2007.\n\nRecommendation 2.c: RITA concurred. Network connectivity testing of Volpe\ninstitutional systems will be conducted as part of the COOP exercise to be\ncompleted by October 30, 2007.\n\nRecommendation 3: RITA concurred. 
The Volpe Center and the Office of the\nSecretary have agreed that the Volpe Center will be included in all future DOT\nMicrosoft enterprise license agreements.\n\n\nACTIONS REQUIRED\nRITA\xe2\x80\x99s actions taken and planned satisfy the intent of our recommendations,\nsubject to follow-up provisions in DOT Order 8000.1C. We appreciate the\ncourtesies and cooperation of the Research and Innovative Technology\n\x0c                                                                               12\n\n\nAdministration, especially Volpe Center representatives, during this audit. If you\nhave any questions concerning this report, please contact me at (202) 366-1496 or\nEdward Densmore, Program Director, at (202) 366-4350.\n\n                                        #\n\ncc: Director, Volpe Center\n    Chief Information Officer, DOT\n    Chief Information Officer, RITA\n    Martin Gertel, M-1\n    Dilcy Garro, RTV-1\n\x0c                                                                                13\n\n\n\n\nEXHIBIT A. SCOPE AND METHODOLOGY\nThe audit field work was performed between May 2006 and March 2007 at the\nVolpe Center in Cambridge, Massachusetts, and RITA Headquarters in\nWashington, D.C. The audit was conducted in accordance with Generally\nAccepted Government Auditing Standards prescribed by the Comptroller General\nof the United States and included such tests as we considered necessary to provide\nreasonable assurance of detecting fraud, abuse or illegal acts.\n\nWe examined the underlying network infrastructure supporting Volpe missions,\nincluding Internet entry points, remote access connections, and the private\nnetwork. In addition, we reviewed Volpe firewall configuration files and security\npolicies and procedures. Using commercial network scanning tools and other\ncommonly available software utilities, we performed two network scans that\ncovered Volpe\xe2\x80\x99s internal network and critical network devices such as firewalls\nand routers. 
We also performed limited internal penetration testing to validate the\nidentified vulnerabilities.\n\nWe reviewed Volpe\xe2\x80\x99s certification and accreditation documents, continuity of\noperations plans, IT systems inventory, and plan of action and milestones. We\nalso visited the Center\xe2\x80\x99s back-up and alternate work sites located in\nMassachusetts.\n\nFinally, we reviewed Volpe\xe2\x80\x99s IT procurement practices for major hardware and\nsoftware applications and DOT\xe2\x80\x99s existing enterprise licensing and blanket\npurchase agreements.\n\nWe interviewed key officials, including systems owners, network and database\nadministration officials, and senior management.\n\n\nExhibit A. Scope and Methodology\n\n\nEXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT\nName                                   Title\n\nEdward Densmore                        Program Director\n\nDr. Ping Z. Sun                        Project Manager\n\nHenry Lee                              Senior Computer Scientist\n\nAaron Nguyen                           Computer Scientist\n\nVasily Gerasimov                       Information Technology Specialist\n\nAtul Darooka                           Information Technology Specialist\n\nMichael P. Fruitman                    Communications Adviser\n\nHarriet Lambert                        Writer-Editor\n\n\nExhibit B. Major Contributors to This Report\n\n\nAPPENDIX. MANAGEMENT COMMENTS\n\nU.S. Department of Transportation\nResearch and Innovative Technology Administration\nThe Administrator\n1200 New Jersey Avenue, S.E.\nWashington, D.C. 20590\n\n\nJuly 18, 2007\n\nINFORMATION MEMORANDUM TO THE INSPECTOR GENERAL\n\nFrom:                   John A. Bobo, Jr., Acting Administrator\n                        (202) 366-7582\n\nThru:                   Curtis J. Tompkins, Director, Volpe Center\n                        (617) 494-2222\n\nPrepared by:            C. Eric Frykenberg, Chief Information Officer, Volpe Center\n                        (617) 494-4810\n\nRe:                     Volpe Center Response to Draft OIG Audit of Volpe Center\xe2\x80\x99s Information\n                        Technology Security and Resource Management Activities\n\n\nSUMMARY\n\nThis memorandum is provided in response to the Office of Inspector General\xe2\x80\x99s (OIG) request for\nthe Research and Innovative Technology Administration/Volpe National Transportation Systems\nCenter (RITA/Volpe Center) management comments and statement of actions to be taken on the\nOIG\xe2\x80\x99s \xe2\x80\x9cDraft Report on Audit of Volpe Center\xe2\x80\x99s Information Technology Security and Resource\nManagement Activities\xe2\x80\x9d provided on July 16, 2007.\n\nMany work hours were expended by the Volpe Center staff and OIG audit team during the May\n2006 to November 2006 time-frame of the audit. RITA/Volpe Center considers the OIG audit to\nhave been an overall positive and beneficial process and appreciates the contributions of all\npersonnel involved.\n\nRemediation of all issues raised is a top priority for RITA and the Volpe Center. The majority of\nreport recommendations have already been either fully or partially remediated and\ncomprehensive plans are being developed for the completion of all remaining issues.\n\n\n\nAppendix. Management Comments\n\n\nRITA provides the following status update on the OIG recommendations.\n\n1. 
Strengthen Volpe Center Network Security by:\n\n      a. Assigning a high priority to correcting remaining high risk vulnerabilities\n      identified on Volpe Center computers during our audit and establishing a timetable\n      to remediate all other vulnerabilities.\n\n      Volpe Center response: Concur\n      Status: The Volpe Center has remediated all software updates and/or security patching\n      vulnerabilities identified in the IG scan. All vulnerabilities requiring system\n      reconfigurations will be corrected by June 2008, and all vulnerabilities requiring system\n      replacement will be completed by September 2009.\n\n      b. Finalizing the procedures for network vulnerability scanning and remediation,\n      and ensuring that they are properly implemented by the contractors.\n\n      Volpe Center response: Concur\n      Status: The vulnerability scanning and remediation process has been updated since the\n      IG inspection and is now compliant with DOT standards. The Volpe Center now has a\n      more comprehensive process in place that assigns responsibility for monitoring and\n      remediation to individual system owners. This includes both the Volpe Center\n      institutional assets and projects. The Foundstone Enterprise scan tool now allows the\n      Volpe Center to track remediation efforts and provide oversight to ensure compliance.\n\n      c. Fully implementing the Department\xe2\x80\x99s security configuration standards for\n      commercial software products operating on all Volpe Center computers.\n\n      Volpe Center response: Concur\n      Status: The Volpe Center is now deploying all new file servers, workstations, and laptops\n      in accordance with DOT security configuration standards. The task of upgrading the\n      existing installed base of all file servers, workstations, and laptops to DOT\xe2\x80\x99s 2007\n      security standards is an extensive project. 
All system reconfigurations will be completed\n      by September 2008. Remaining issues that can only be corrected with system\n      replacement will be corrected by September 2009.\n\n      d. Ensuring that all critical network infrastructure components are included in the\n      current security certification review of the General Support System/Local Area\n      Network.\n\n      Volpe Center response: Concur\n      Status: The current LAN/GSS Certification and Accreditation package will include a\n      comprehensive assessment of all critical network infrastructure components.\n      Expected completion date is October 30, 2007.\n\n\n2.   Enhance protection of systems in operation by:\n\n     a. Completing the security certification and accreditation review of the Facility\n     Physical Security System and ensuring that all systems are included in the\n     Department\xe2\x80\x99s official systems inventory for tracking and management review.\n\n     Volpe Center response: Concur\n     Status: Certification and accreditation of the Facility Physical Security System (termed the\n     Security Access System (SAS)) will be completed by October 30, 2007.\n\n     b. Conducting systems recovery testing at the backup site for Volpe Center and for\n     customer systems for which it is responsible.\n\n     Volpe Center response: Concur\n     Status: Off-site Continuity of Operations Plan (COOP) and Disaster Recovery (DR)\n     exercise to be completed by October 30, 2007.\n\n     c. Testing network connectivity between the system recovery site and the alternate\n     work site.\n\n     Volpe Center response: Concur\n     Status: On May 17, 2006, the Volpe FMCSA project successfully conducted a\n     DataComm test of remote connectivity between the SunGuard cold site and the SunGuard\n     hot site. 
Network connectivity testing of Volpe institutional systems will be conducted as\n     part of the COOP exercise to be completed by October 30, 2007.\n\n3.   Achieve cost savings by working with the Department\xe2\x80\x99s Chief Information Officer\n     to ensure that the Volpe Center is given an opportunity to participate in and utilize\n     future Department-wide enterprise software licensing agreements.\n\n     Volpe Center response: Concur\n     Status: The Volpe Center fully supports utilization of DOT enterprise software licensing\n     agreements. The Volpe Center and OST have agreed that the Volpe Center will be\n     included in all future DOT Microsoft enterprise license agreements. The Volpe Center\n     is already included in all other DOT enterprise license and blanket purchase agreements\n     such as Oracle, Safeboot, eTrust, and Dell.\n\n\nThe following pages contain textual versions of the graphs and charts found in this\ndocument. These pages were not in the original document but have been added\nhere to accommodate assistive technology.\n\nVolpe Center\xe2\x80\x99s Information Technology Security and Resource Management\n                               Activities\n\n                         Section 508 Compliance Presentation\n\n\nFigure 1. Current Volpe Network Infrastructure\n\nThe diagram shows the network infrastructure:\n   \xe2\x80\xa2 A firewall connecting the Volpe LAN, the Web Servers and the Internet.\n   \xe2\x80\xa2 A firewall connecting the Volpe LAN, the Customer Project networks and DOT\n      headquarters.\n   \xe2\x80\xa2 A firewall connecting the Volpe LAN and the FAA WAN.\n   \xe2\x80\xa2 The FAA WAN is connected to the ETMS (Enhanced Traffic Management System)\n      network.\n   \xe2\x80\xa2 The Volpe LAN, Customer Projects, Web Servers and ETMS are within the\n      border of the John A. Volpe National Transportation Systems Center\n      Campus.\n\nSource: OIG based on Volpe Data\n\nTable 1. 
Volpe Center Network Vulnerability Incident Assessment Results\n\n    \xe2\x80\xa2 397 of 1170 computers were found to have vulnerabilities. A total of 6909\n      potential vulnerability incidents were identified: 2598 high, 509 medium,\n      and 3802 low.\n    \xe2\x80\xa2 15 of 88 network printers were found to have vulnerabilities. A total of\n      1954 potential vulnerability incidents were identified: 1848 high, 33\n      medium, and 73 low.\n    \xe2\x80\xa2 In total, 412 of 1258 hosts (computers and network printers) were found to\n      have vulnerabilities. A total of 8863 potential vulnerability incidents were\n      identified: 4446 high, 542 medium, and 3875 low.\n\nSource: OIG\n\nTable 2. Volpe Customer Projects in 2006\n\n    \xe2\x80\xa2 DOT customer FAA has 74 active projects with a total of $81.9 million\n      new obligation authority transferred to Volpe.\n    \xe2\x80\xa2 DOT other customers have 196 active projects with a total of $88.7 million\n      new obligation authority transferred to Volpe.\n    \xe2\x80\xa2 Non-DOT other federal agencies have 126 active projects with a total of\n      $88.4 million new obligation authority transferred to Volpe.\n   \xe2\x80\xa2 Non-DOT state/local government clients have 16 active projects with a\n     total of $2 million new obligation authority transferred to Volpe.\n   \xe2\x80\xa2 Non-DOT private sector clients have 8 active projects with a total of $0.3\n     million new obligation authority transferred to Volpe.\n   \xe2\x80\xa2 Non-DOT international clients have 4 active projects with a total of $0.6\n     million new obligation authority transferred to Volpe.\n   \xe2\x80\xa2 The total number of active projects for all customers is 424, with a total new\n     obligation authority transferred to Volpe of $261.9 million.\n\nSource: Volpe\n\nTable 3. 
Volpe Systems Inventory\n\n   \xe2\x80\xa2 General Support System/LAN was included in the systems inventory and\n     received security certification review.\n   \xe2\x80\xa2 Administrative Support system was included in the systems inventory and\n     received security certification review.\n   \xe2\x80\xa2 Procurement system was included in the systems inventory and received\n     security certification review.\n   \xe2\x80\xa2 Data Warehouse system was not included in the systems inventory but\n     received security certification review.\n   \xe2\x80\xa2 Facility Physical Security system was not included in the systems inventory\n     and did not receive security certification review.\n\nSource: OIG based on DOT and Volpe data\n'